Vulnerability Description
Discourse is a platform for community discussion. Users who receive an invitation link that is not scoped to a single email address can enter any non-admin user's email and gain access to that user's account when accepting the invitation. All users should upgrade to the latest version. A workaround is temporarily disabling invitations with `SiteSetting.max_invites_per_day = 0` or scoping them to individual email addresses.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Discourse | Discourse | < 2.8.10 |
Related Weaknesses (CWE)
References
- https://github.com/discourse/discourse/pull/18817 (Patch, Third Party Advisory)
- https://github.com/discourse/discourse/security/advisories/GHSA-x8w7-rwmr-w278 (Third Party Advisory)
FAQ
What is CVE-2022-39356?
CVE-2022-39356 is a vulnerability with a CVSS score of 8.9 (HIGH). Discourse is a platform for community discussion. Users who receive an invitation link that is not scoped to a single email address can enter any non-admin user's email and gain access to that user's account when accepting the invitation.
How severe is CVE-2022-39356?
CVE-2022-39356 has been rated HIGH with a CVSS base score of 8.9/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2022-39356?
Check the references section above for vendor advisories and patch information. Affected products include Discourse (vendor: Discourse), versions before 2.8.10.